Man-on-the-Side Attacks on the Internet - Erik Hjelmvik

Maximizing IOC Impact

I've been thinking about threat intelligence lately. Specifically: indicators of compromise (IOC), how and where to share them to cause maximum pain to adversaries and help as many organizations as possible protect ...
CrowdStrike Glassworm Takedown Exposes Developer Supply Chain Risk

CrowdStrike announced it has taken down the Glassworm botnet, a global threat campaign attacking software developers through open source tools. The company simultaneously struck Glassworm’s four command-and-control (C2) channels alongside collaborators Google ...
Security Boulevard
Mythic Development Workflow with @its_a_feature_

Mythic 3.3 Beta: Rise of the Events

A brief overview of Mythic 3.3's new features: Eventing Flows; Mythic 3.3 Updates. Mythic 3.3 has too many updates to mention them all here, so if you want a deeper dive into the change log, please check ...

DTEX i3 Threat Advisory Provides Detections for LOTL, C2 Abuse

Workspace applications are increasingly being weaponized as a Living off the Land (LOTL) technique, as threat actors find new ways to break in and execute attacks. The DTEX i3 Team has issued ...
Screenshot of original infection email from Unit 42

Emotet C2 and Spam Traffic Video

This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims. The video cannot be ...
SEC-T 0x0D: Erik Hjelmvik - Hiding in Plain Sight - How the SolarWinds Hack Went Undetected

How the SolarWinds Hack (almost) went Undetected

My lightning talk from the SEC-T 0x0D conference has now been published on YouTube. This 13 minute talk covers tactics and techniques that the SolarWinds hackers used in order to avoid being ...
Corelight Sensors detect the ChaChi RAT

By Paul Dokas, Keith Jones, Anthony Kasza, Yacin Nadji, & Vern Paxson, Corelight Labs Team. Recently, BlackBerry analyzed a new GoLang Remote Access Trojan (RAT) named "ChaChi." This sample was interesting ...
Detect C2 ‘RedXOR’ with state-based functionality

By Ben Reardon, Corelight Security Researcher. Recently, a very interesting Linux-based command-and-control (C2) malware was described by the research team at Intezer. As usual, there is a set of simple network-based IOCs ...
SolarWinds Backdoor State Diagram

Targeting Process for the SolarWinds Backdoor

The SolarWinds Orion backdoor, known as SUNBURST or Solorigate, has been analyzed by numerous experts from Microsoft, FireEye and several anti-virus vendors. However, we have noticed that many of the published reports ...
Sunburst stages 1 to 3 (passive, associated and active)

Finding Targeted SUNBURST Victims with pDNS

Our SunburstDomainDecoder tool can now be used to identify SUNBURST victims that have been explicitly targeted by the attackers. The only input needed is passive DNS (pDNS) data for avsvmcloud.com subdomains. Companies ...